IA-5(2): Pki-Based Authentication

CSF v1.1 References:

Threats Addressed:

Baselines:

  • Moderate
  • High

Next Version:

Control Statement

The information system, for PKI-based authentication:

  1. Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
  2. Enforces authorized access to the corresponding private key;
  3. Maps the authenticated identity to the account of the individual or group; and
  4. Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

Supplemental Guidance

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.